On Monday, April 29, 2024, Austrian Noyb - European Center for Digital Rights launched a complaint against OpenAI and its large language model (LLM) chatbot, ChatGPT.
The complaint alleges that the Microsoft-backed company is in breach of the European Union’s General Data Protection Regulation (GDPR).
The GDPR requires companies and organizations who are either based in the EU or store the data of persons based in the EU, to live up to a certain set of provisions regarding privacy and the storage of personal data.
These provisions include that individuals have access to the information stored about them, as well as the information be accurate and, where necessary, kept up to date. Incorrect data must be erased or rectified “without delay”.
Noyb alleges that OpenAI fails to meet these requirements.
“OpenAI openly admits that it is unable to correct incorrect information on ChatGPT,” says Noyb in a press release, elaborating that, “the company cannot say where the data comes from or what data ChatGPT stores about individual people.”
“Making up false information is quite problematic in itself,” says Maartje de Graaf, a data protection lawyer at Noyb.
“But when it comes to false information about individuals, there can be serious consequences. It’s clear that companies are currently unable to make chatbots like ChatGPT comply with EU law, when processing data about individuals. If a system cannot produce accurate and transparent results, it cannot be used to generate data about individuals. The technology has to follow the legal requirements, not the other way around.”
With its complaint, Noyb is requesting the Austrian Data Protection Authority (DSB) to investigate its claims and to uphold the complaint.
Noyb further requests that DSB takes appropriate corrective measures such as order OpenAI and ChatGPT to comply with GDPR legislation, and suggests that DSB imposes an “effective, proportionate and dissuasive fine” to ensure that OpenAI will comply with the GDPR in the future.